12.05.07
Using Robust Exception Information On A Shared Host
By Raymond Camden
I was recently contacted by a possible client who was looking for a code review. As part of my standard "playing around" I noticed that his site was throwing errors with the full path information revealed. As folks know, I always recommend you turn off Show Robust Exception Information on a production machine. There is no reason to use it in production, and no reason you need it if you use proper error handling.

I informed the client of this (possible client, hope I get the job :) and he spoke with his host. I was shocked by the response:

"I spoke with my CF web host, and they said they are the only ones who can disable Robust Exception Info in the CF Admin but that they won't do that because they use it to help clients debug their sites. I told him that they need a separate server (with it disabled) in addition to what appears to be this development server. Am I right? He claimed that users would only be able to find out the DNS (and snippets of code)...no security problem. I've used it, and I know it spits out quite a bit. I told him that a security expert told me I should disable it. He said he'd be glad to talk with you. What do you think?"

Well, it is certainly true that your host is the only one who can change this if you are using shared hosting. What I found shocking, though, was their refusal to turn it off and their reason. Yes, the robust exception information is very useful. But if you want to use this information, use it where it makes sense: development. Not a live production server, where the information could be used against you.
Those "snippets of code" can reveal real secrets, not just file paths. For example, have you ever seen code like this:
<!--- foo is a valid, back door password --->
<cfif authenticate(u,p) or form.password is "foo">
If the host's concern is helping clients debug, the host already has access to the log files, and the same error details can be read there instead of being shown to every visitor. This involves minimal additional work on the host's part. If they argue that the logs contain information from other sites on the box, show them the filtering options.
I'm suggesting to my client that they use error handling for now to address the issue. I'm also suggesting that they possibly move to a new host.
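As an added example of the error handling recommended above (this is not code from the original post), here is an Application.cfc onError handler that writes the full diagnostic detail to a server-side log with cflog and sends the visitor only a generic message. Because the handler deals with the exception itself, ColdFusion never renders its standard error page, so file paths, tag context and code snippets stay out of the browser whatever the Administrator setting says. The application name, the log file name and the wording of the visitor message are assumptions made for this example.

```cfml
<cfcomponent output="false">
    <!--- Application name is an assumption for this example --->
    <cfset this.name = "exampleApp">

    <!--- Runs for any exception the request did not catch itself --->
    <cffunction name="onError" returntype="void" output="true">
        <cfargument name="exception" required="true">
        <cfargument name="eventName" type="string" required="true">

        <cfset var where = "">

        <!--- Template and line where the error occurred, if ColdFusion
              supplied a tag context; this is exactly the detail that
              robust exception information would otherwise print on the page --->
        <cfif structKeyExists(arguments.exception, "tagContext")
              and arrayLen(arguments.exception.tagContext) gt 0>
            <cfset where = arguments.exception.tagContext[1].template & ":"
                         & arguments.exception.tagContext[1].line>
        </cfif>

        <!--- Keep the diagnostics server-side; the host can read this file
              in the Administrator log viewer and filter it per application --->
        <cflog file="exampleApp_errors" type="error"
               text="#arguments.eventName# | #cgi.script_name# | #arguments.exception.message# | #arguments.exception.detail# | #where#">

        <!--- The visitor sees only this: no path, stack trace or code --->
        <cfoutput>
            <h1>Sorry, something went wrong.</h1>
            <p>The problem has been recorded and will be looked at.</p>
        </cfoutput>
    </cffunction>
</cfcomponent>
```

The same effect can be had on older applications with a cferror tag pointing at a template, as long as that template never outputs the error scope's diagnostics to the page. Either way, the Administrator setting should still be off on a production box; the handler is what protects you when it is not.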
About the Author: Raymond Camden, ray@camdenfamily.com
http://ray.camdenfamily.com
Raymond Camden is Vice President of Technology for roundpeg, Inc. A long
time ColdFusion user, Raymond has worked on numerous ColdFusion books
and is the creator of many of the most popular ColdFusion community web
sites. He is an Adobe Community Expert, user group manager, and the
proud father of three little bundles of joy.